CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2026/01/24 8:26 a.m.•8 views

CVE-2025-15516

CVE-2025-15516 affects the WordPress plugin All-in-One Video Gallery (versions 4.1.0–4.6.4). A missing capability check in the ajax_callback_store_user_meta() function allows authenticated users with Subscriber+ privileges to modify arbitrary string-based user meta keys for their own account. Imp...

4.3CVSS5.7AI score0.00161EPSS

Cvelist•added 2026/01/24 8:26 a.m.•35 views

CVE-2025-15516 All-in-One Video Gallery 4.1.0 - 4.6.4 - Missing Authorization to Authenticated (Subscriber+) Limited User Meta Update

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxcallbackstoreusermeta function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, ...

4.3CVSS0.00161EPSS

Vulnrichment•added 2026/01/24 8:26 a.m.•2 views

CVE-2025-15516 All-in-One Video Gallery 4.1.0 - 4.6.4 - Missing Authorization to Authenticated (Subscriber+) Limited User Meta Update

4.3CVSS6AI score0.00161EPSS

ATTACKERKB•added 2026/01/24 8:26 a.m.•2 views

CVE-2025-15516

4.3CVSS6AI score0.00161EPSS

Exploits0References3Affected Software1

Patchstack•added 2026/01/24 5:57 a.m.•5 views

WordPress All-in-One Video Gallery plugin 4.1.0-4.6.4 - Missing Authorization to Authenticated (Subscriber+) Limited User Meta Update vulnerability

Missing Authorization to Authenticated Subscriber+ Limited User Meta Update vulnerability discovered by kr0d in WordPress Plugin All-in-One Video Gallery versions 4.1.0-4.6.4...

4.3CVSS5.5AI score0.00161EPSS

Positive Technologies•added 2026/01/24 12:0 a.m.•5 views

PT-2026-4592

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax callback store user meta function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and...

4.3CVSS5.7AI score0.00161EPSS

CNNVD•added 2026/01/24 12:0 a.m.•6 views

WordPress plugin All-in-One Video Gallery has a security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

4.3CVSS5.8AI score0.00161EPSS

CVE•added 2026/01/23 3:28 a.m.•9 views

CVE-2026-0760

Foundational Software: Foundation Agents MetaGPT. The CVE-2026-0760 issue is in the deserialize_message function where unvalidated untrusted data can be deserialized, enabling Remote Code Execution with network access and no authentication. Documented impact states an attacker can execute code in...

9.8CVSS6.6AI score0.00993EPSS

OSV•added 2026/01/23 2:28 a.m.•3 views

GO-2026-4311 Fulcio is vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass in github.com/sigstore/fulcio

Fulcio is vulnerable to Server-Side Request Forgery SSRF via MetaIssuer Regex Bypass in github.com/sigstore/fulcio...

5.8CVSS5.5AI score0.0022EPSS

Exploits1References3

SUSE CVE•added 2026/01/22 12:28 a.m.•1 views

SUSE CVE-2025-63647

A NULL pointer dereference in the parsemeta function src/httpddaap.c of owntone-server commit 334beb allows attackers to cause a Denial of Service DoS via sending a crafted DAAP request to the server...

7.5CVSS5.5AI score0.00352EPSS

Positive Technologies•added 2026/01/22 12:0 a.m.•6 views

PT-2026-4308

Name of the Vulnerable Software and Affected Versions Copilot affected versions not specified Description An issue exists in Copilot where improper neutralization of escape, meta, or control sequences can allow an unauthorized attacker to disclose information over a network. The issue involves th...

7.4CVSS5.3AI score0.00503EPSS

Exploits0References6

RedhatCVE•added 2026/01/21 3:27 p.m.•3 views

CVE-2026-0608

The Head Meta Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head-meta-data' post meta field in all versions up to, and including, 20251118 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.8AI score0.00203EPSS

Exploits0References1

Patchstack•added 2026/01/20 10:59 p.m.•7 views

WordPress FlatPM - Ad Manager, AdSense and Custom Code plugin <= 3.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Post Meta vulnerability

WordPress FlatPM - Ad Manager, AdSense and Custom Code plugin = 3.2.2 - Authenticated Contributor+ Stored Cross-Site Scripting via Custom Post Meta vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin FlatPM versions = 3.2.2...

6.4CVSS5.5AI score0.00203EPSS

Patchstack•added 2026/01/20 10:58 p.m.•7 views

WordPress Head Meta Data plugin <= 20251118 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Post Meta vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Head Meta Data versions = 20251118...

6.4CVSS5.4AI score0.00203EPSS

NVD•added 2026/01/20 3:20 p.m.•2 views

CVE-2026-0608

6.4CVSS0.00203EPSS

ATTACKERKB•added 2026/01/20 2:26 p.m.•3 views

CVE-2026-0608

6.4CVSS5.5AI score0.00203EPSS

CVE•added 2026/01/20 2:26 p.m.•12 views

CVE-2026-0608

CVE-2026-0608 affects the Head Meta Data WordPress plugin. It is a Stored Cross-Site Scripting via the head-meta-data post meta field in all versions up to 20251118. Exploitation requires authenticated access at the Contributor level or higher, enabling injection of scripts that run when users vi...

6.4CVSS5.7AI score0.00203EPSS